Microsoft explores Australian CISOs' most common problems in cybersecurity

Australia needs at least another 500 more cyber graduates to meet existing demand for cybersecurity as CISOs tackle the shortage with a variety of methods that don’t necessarily require a background in computer science.

That is just one of the revelations from Microsoft’s report titled Navigating the new cybersecurity threat landscape, which analyses common trends and issues in Australia’s security sector.

According to the Australian Cyber Security Centre, 90% of companies listed on the ASX have experienced a data breach and overall, cybercrime costs the economy up to $17 billion per year.

With statistics like those presenting a stark warning to Australian businesses, Microsoft brought together a group of CISOs from organisations including Telstra and the Department of Human Services (DHS).

The aim was to discover how cyber threats affect businesses and how they are tackled. The discussion also looked at how businesses are finding and retaining cyber talent in a highly competitive market; how a stronger public-private partner can benefit everyone; and how security is discussed in the boardroom.

The report found that in addition to the 500 graduates Australia needs, CISOs are doing their best to implement graduate training programs and branching out to hire a mix of talent.

Telstra hires approximately 50 graduates every year. After finding that it was difficult to integrate security skills with network teams, the company now embeds professionals in those roles. Telstra says it’s a better solution, but there’s still work to do.

The department of Human Services also faced the stark reality that there weren’t enough trained security graduates in Canberra to meet its requirements. They chose to recruit people straight from school and train them internally.

“Some of our best hires have been people coming out of the Australian Defence Force. These people are strategic thinkers, they have built-in loyalty and they bring a host of other skills that are hard to measure in aptitude tests,” adds DHS CISO Narelle Devine.

DHS’ cybersecurity team also brings together psychologists, lawyers and politics graduates. For education and awareness, a person with a communications major was a better fit, rather than a person with a major in cyber.

“It will probably be two years before we know if this strategy is going to work. We know people will leave because these roles are in high demand but we did the maths and we’ll be ahead if we can keep one in three of those going through training.”

The report also states that the cyber threat landscape in Australia puts phishing attacks, user error, the Internet of Things, and threat groups like the Shadow Brokers at the forefront of emerging threats.

ANZ Banking Group CISO Steve Glynn believes that tracking the number of people who click on a phishing email is to measure the wrong metric.

“We should be focusing on the number of people who report a phishing attack because that turns everybody into a potential early warning system like canaries in a coalmine. That’s a cybersecurity metric we’d all like to see increasing,” Glynn says.

Queensland Health CISO John Borchi is concerned about the Internet of Things in the medical space. Managing the network of critical devices is getting more difficult as healthcare moves out of controlled hospital environments, he says.

DHS is concerned about threat groups and their potential appetite for destruction.

“Everything is moving so quickly but my biggest concern is that The Shadow Brokers are sitting on some clever stuff right now and just waiting to pull the trigger. Some of the global attacks we’ve seen recently were really unsophisticated. What’s coming next?” Devine asks.

The report claims that Australian CISOs are well connected. Define says that she talks to other CISOs every day – a statement that challenges the common perception that competing organisations don’t share information with each other.

The Australian Cyber Security Centre will move to a purpose-built facility this year – a move that will present greater collaboration.

“At its best, security is a team sport, and everybody needs to be part of the solution. They should participate in their own rescue and security should be a celebrated part of organisational culture,” comments Microsoft’s VP of strategic, enterprise and security, Ann Johnson.

While Australian boardrooms may be bringing cybersecurity to the table, some board members still don’t understand cyber.

The report suggests that communication is a major part of tackling breaches. Quick and clear response is crucial, even when organisations don’t have all the answers. Incident response plans are important for communicating with staff, customers, partners, media and stakeholders.